Cisco Patches Critical Vulnerabilities in SD-WAN, DNA Center, SSMS Products


Cisco this week released patches to address a significant number of vulnerabilities across its product portfolio, including several critical flaws in SD-WAN products, DNA Center, and Smart Software Manager Satellite (SSMS).

Several command injection bugs addressed in SD-WAN products could allow an attacker to perform actions as root on the affected devices. The most important of these bugs is rated critical severity, with a CVSS score of 9.9.

Tracked as CVE-2021-1299, the flaw resides in the web-based management interface of SD-WAN vManage software and could be exploited remotely, without authentication, to execute arbitrary commands as the root user. An attacker looking to exploit the flaw would have to submit crafted input to the device template configuration.

Five other command injection flaws were addressed in SD-WAN vBond Orchestrator, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage, and SD-WAN vSmart Controller Software. Two of them were rated high severity, while the other three were considered medium severity.

Cisco also patched two buffer overflow issues in SD-WAN, the most important of which is tracked as CVE-2021-1300 and features a CVSS score of 9.8. The flaw could lead to arbitrary code execution with root privileges.

Impacted products include IOS XE SD-WAN, SD-WAN vBond Orchestrator, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage, and SD-WAN vSmart Controller software.

A critical vulnerability addressed in DNA Center could be exploited to perform command injection attacks. Tracked as CVE-2021-1264 and featuring a CVSS score of 9.6, the flaw exists because of insufficient input validation by the Command Runner tool. Cisco DNA Center releases prior to version 1.3.1.0 are affected.

Three critical bugs (CVE-2021-1138, CVE-2021-1140, CVE-2021-1142; CVSS score of 9.8) were patched in the web UI of Smart Software Manager Satellite. The flaws could be exploited by an unauthenticated, remote attacker to execute arbitrary commands.

Two other issues (CVE-2021-1139, CVE-2021-1141; CVSS score of 8.8) also addressed in the software could be exploited remotely, without authentication, to execute arbitrary commands as the root user. Cisco Smart Software Manager On-Prem releases 6.3.0 and later contain fixes for all of these flaws.

Cisco says it is not aware of public exploits or attacks that target any of these vulnerabilities.

This week, the company also released patches for multiple other high- and medium-severity flaws in SD-WAN, DNA Center, Data Center Network Manager, SSMS, Advanced Malware Protection (AMP) for Endpoints for Windows and Immunet for Windows, Web Security Appliance (WSA), Umbrella, Unified Communications products, Elastic Services Controller (ESC), Email Security Appliance (ESA), Content Security Management Appliance (SMA), and StarOS.

Information on all of the addressed vulnerabilities can be found on Cisco’s security portal.


Ionut Arghire is an international correspondent for SecurityWeek.
